Microsoft has moved to patch a vulnerability in its ‘Word’ program in order to stop hackers and scammers from exploiting it to spread bank account snooping malware.

What’s Been Happening?

Emails containing Microsoft RTF [Rich Text Format] attachments, loaded with the trojan malware associated with a £20m British bank account theft 2 years ago, have recently been sent to millions of recipients across numerous organisations (primarily in Australia).

The scam, which was discovered by cyber-security firm Proofpoint, relied upon human error to click on the attachment to trigger the malware, and upon a “zero day” vulberability (a flaw / unknown exploit) that could allow the malware program to run.

The reports of this incident prompted Microsoft to release a patch to Word which should stop the same thing from happening again.

Arrived By Email

The malware-loaded Microsoft documents were sent to their targets by emails from "<[device]@[recipient’s domain]>". The ‘device’ part of the sender’s address was "copier", "documents", "noreply", "no-reply", or "scanner", and the subject line read "Scan Data". The attachments were named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits.

What Kind of Vulnerability In Word?

The zero-day vulnerability in Microsoft Word (until the patch) meant that Microsoft RTF [Rich Text Format] Word documents laden with macros i.e. full of small malicious programs (rather than the normal customisable shortcut programs), could load malware onto the computer without users having to enable macros for the exploit to execute.

This means that, after clicking on an infected RTF Word document email attachment, and despite the presentation of a dialog box, the malware would load immediately onto the computer, and would fully exploit the recipient’s computer to achieve its ‘snooping’ aim.

The vulnerability affects Microsoft Office, including the latest Office 2016 edition running on Windows, but it is not clear whether Word for Mac is affected.

What Does The Malware Do?

The malware in this recent incident is reported to have been “Dridex”. This is a notoriously sneaky trojan program that snoops on the recipient’s bank account details and logins, and then sends them back to the attackers.
In past incidents, this has resulted in lots of small transaction amounts being taken from a victim’s bank account over time.

The Patch

As of Tuesday 11th April, Microsoft customers who have updates enabled should receive the patch automatically.

What Does This Mean For Your Business?

This is another example of how cyber-criminals are using a combination of social engineering, macros, and other elements to achieve their aims. The fact that this scam requires the human error of clicking on attachments means that businesses can help to protect themselves by educating staff not to open unknown files, and not to download content from untrusted sources.

In this case, as well as recommending that businesses apply the patch as soon as possible (provided that they have release version of Service Pack 2 for Office 2010 installed on the computer ), some security experts are also recommending the complete blocking of RTF documents in Microsoft Word via the File Block Settings in the Microsoft Office Trust Center.